Micro Focus QTP (UFT) Forums
Is it safe to keep a plain text password retrieved from a password vault (CyberArk) in


Is it safe to keep a plain text password retrieved from a password vault(CyberArk) in - raivivan - 06-29-2023

I have an application that has an image upload feature; the images are stored on a 3rd party service which is basically an SFTP server. The credentials for accessing this storage were initially hard-coded in the Java service class itself, and to secure it, I am planning to keep the SFTP server credentials in a password vault (CyberArk) and then retrieve the credential programmatically (when the application starts up) using the CyberArk REST API and certificate auth method. After retrieving the credentials from the vault, I plan to keep the password in memory and use it for subsequent communication with the SFTP server. Is this the correct approach? Or will this still be a security risk?
Note 1: this is a Java Struts2 application and is deployed as a WAR on a JBoss server.
Note 2: I read in some places that it's safer to use a char array instead of a string to store a password, but not sure if that is enough.
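
Added example, not part of the original post and not CyberArk's code: a sketch of the char-array idea from Note 2, where the password is fetched on demand, lent to a callback, and zeroed afterwards instead of living in a field for the life of the JVM. `ScopedSecret`, `withPassword` and the `fetcher` supplier (standing in for the vault REST call) are hypothetical names, and the sample password is constructed.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.function.Function;
import java.util.function.Supplier;

/** Holds no secret itself: fetches on demand, lends it to a callback, then wipes it. */
public final class ScopedSecret {
    private final Supplier<char[]> fetcher; // hypothetical: wraps the vault REST call

    public ScopedSecret(Supplier<char[]> fetcher) {
        this.fetcher = fetcher;
    }

    /** Runs action with the password as UTF-8 bytes; every buffer is zeroed afterwards. */
    public <T> T withPassword(Function<byte[], T> action) {
        char[] chars = fetcher.get();
        byte[] bytes = null;
        try {
            ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
            bytes = new byte[encoded.remaining()];
            encoded.get(bytes);
            if (encoded.hasArray()) Arrays.fill(encoded.array(), (byte) 0); // encoder's copy
            return action.apply(bytes);
        } finally {
            Arrays.fill(chars, '\0'); // possible with char[]; a String cannot be wiped
            if (bytes != null) Arrays.fill(bytes, (byte) 0);
        }
    }

    private static boolean allZero(byte[] b) {
        for (byte x : b) if (x != 0) return false;
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample value standing in for the vault response. A literal is
        // used only for the demo; a real fetcher should never build a String.
        ScopedSecret secret = new ScopedSecret(() -> "constructed-sample".toCharArray());
        final byte[][] seen = new byte[1][];
        int length = secret.withPassword(pw -> {
            seen[0] = pw;      // reference kept only to show the wipe below
            return pw.length;  // a real caller would authenticate to SFTP here
        });
        System.out.println("password length seen by callback: " + length);
        System.out.println("buffer after use is all zero: " + allZero(seen[0]));
    }
}
```

This shortens the window in which the password sits on the heap; it does not help while the callback is running, and an SFTP or HTTP library that converts the value to a `String` internally leaves a copy that cannot be cleared.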